Port forwarding not working

Hello,

I would like to set up three port forwardings on the router, but unfortunately it does not work.
What am I doing wrong?
Here is my config:

# jan/16/2023 12:30:51 by RouterOS 7.7
# software id = 8RC1-JJFZ
#
# model = CRS125-24G-1S
# serial number = 5A8C0513D7D9
/interface bridge
add name=bridge1
/interface ethernet
# ether1 only carries the PPPoE session (see /interface pppoe-client below);
# the logical WAN interface is pppoe-out1, which is the member of interface list WAN
set [ find default-name=ether1 ] comment=Internet
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=aXXXXXX.sn.mynetname.net exchange-mode=ike2 name=Aschendorf
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
/ip kid-control
add fri="" mon=5h-5h1m name="Gerate ohne Internet " rate-limit=1K sat="" sun=\
    "" thu="" tue="" wed=""
/ip pool
add name=dhcp ranges=192.168.30.10-192.168.30.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=3d name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE use-mpls=yes
/interface pppoe-client
# PPPoE over ether1; add-default-route=yes makes pppoe-out1 the internet path
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    profile=default-encryption user=XXXXXXXXXXXXXXXX@t-online.de
/queue type
add kind=fq-codel name=FQ-Codel
/queue simple
add max-limit=70M/30M name=queue1 packet-marks=no-mark queue=\
    FQ-Codel/FQ-Codel target=pppoe-out1 total-queue=FQ-Codel
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/interface list member
# WAN = the PPPoE interface, not ether1; the firewall/NAT rules should key on these lists
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
# NOTE(review): allowed-address is the local LAN subnet itself — confirm this is intended
# (WireGuard is reportedly not in active use on this router)
add allowed-address=192.168.30.0/24 endpoint-address=192.168.31.2 \
    endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s \
    public-key="XXXXXXXXXXXXXX"
/ip address
add address=192.168.30.1/24 interface=bridge1 network=192.168.30.0
add address=192.168.31.1 disabled=yes interface=wireguard1 network=\
    192.168.31.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.30.200 client-id=1:7c:10:c9:83:4a:47 comment=Dirk-PC \
    mac-address=7C:10:C9:83:4A:47 server=dhcp1
add address=192.168.30.199 client-id=1:0:11:32:88:99:e6 comment=\
    "Synology NAS" mac-address=00:11:32:88:99:E6 server=dhcp1
add address=192.168.30.197 client-id=1:50:e6:36:76:d8:d comment=\
    "fritzbox 7590ax" mac-address=50:E6:36:76:D8:0D server=dhcp1
add address=192.168.30.195 client-id=1:3c:2a:f4:9e:5f:b7 comment=\
    "Brother Drucker" mac-address=3C:2A:F4:9E:5F:B7 server=dhcp1
add address=192.168.30.183 mac-address=00:17:88:6B:0C:0F server=dhcp1
/ip dhcp-server network
add address=192.168.30.0/24 caps-manager=192.168.30.1 dns-server=\
    192.168.30.1,8.8.8.8 gateway=192.168.30.1 netmask=24 ntp-server=\
    192.168.30.1 wins-server=192.168.30.1
/ip dns
# allow-remote-requests=yes turns the router into a DNS resolver; the input chain
# below decides who can reach it (WAN sources are dropped there)
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.30.197 name=fritz.local
add address=192.168.30.181 name=ps3.lars
/ip firewall address-list
# bogon / non-routable ranges used to block leaks from LAN towards WAN
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
# list name is referenced as-is by the input accept rule below; keep the spelling consistent
add address=192.168.30.2-192.168.30.254 list=allowed_to_routerto_router
add address=192.168.30.0/24 list=lan_ip
add address=192.168.20.0/24 list=lan_ip
add address=192.168.10.0/24 list=lan_ip
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
# input chain: only established/related, hosts on the LAN address-list and ICMP are
# accepted; everything else (including all WAN-originated traffic to the router) is dropped
add action=accept chain=input comment=Default connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_routerto_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
# forward chain: there is no terminating drop, so new connections that survive the
# drop rules below are accepted by the chain's default
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=jump chain=forward comment="Zu ICMP Rules" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not Public Addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge1
# NOTE(review): the comment says "not NATted", but connection-nat-state=dstnat matches
# connections that WERE dst-natted, so new port-forwarded connections arriving on
# pppoe-out1 (an all-ppp interface) are dropped here. The default firewall uses
# connection-nat-state=!dstnat so that only un-forwarded WAN connections are dropped.
add action=drop chain=forward comment="Drop incoming that are not NATted" \
    connection-nat-state=dstnat connection-state=new in-interface=all-ppp \
    log=yes log-prefix=!NAT
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" disabled=yes \
    in-interface=ether1 log=yes log-prefix=!public src-address-list=\
    not_in_internet
add action=drop chain=forward comment="Drop from LAN that do not have LAN IP" \
    in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address-list=!lan_ip
add action=accept chain=icmp comment="ICMP List" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp icmp-options=3:0 protocol=icmp
add action=accept chain=icmp icmp-options=3:1 protocol=icmp
add action=accept chain=icmp icmp-options=3:4 protocol=icmp
add action=accept chain=icmp icmp-options=8:0 protocol=icmp
add action=accept chain=icmp icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp protocol=icmp
/ip firewall nat
# NOTE(review): the dst-nat rules match in-interface=ether1, but internet traffic
# arrives on pppoe-out1 (the WAN list member), so they are unlikely to match;
# in-interface-list=WAN would key on the same logical WAN as the masquerade rule below
add action=dst-nat chain=dstnat comment="Zu Fritzbox" dst-port=44695 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.30.197 to-ports=\
    44695
add action=dst-nat chain=dstnat comment="Zu Proxy" dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.30.171 to-ports=4434
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.30.171 to-ports=8080
add action=accept chain=srcnat comment=VPN dst-address=192.168.20.0/24 \
    src-address=192.168.30.0/24
# NOTE(review): no in-interface restriction at all — this redirect also catches tcp/6281
# originating from the LAN towards any destination; consider in-interface-list=WAN
add action=dst-nat chain=dstnat comment="Vault Backup" dst-port=6281 \
    protocol=tcp to-addresses=192.168.30.199 to-ports=6281
add action=masquerade chain=srcnat comment=Main out-interface-list=WAN
/ip ipsec identity
add peer=Aschendorf
/ip ipsec mode-config
add address-pool=*2 name=vpndhcp
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=Aschendorf src-address=192.168.30.0/24 \
    tunnel=yes
/ip kid-control device
add mac-address=00:1F:A7:7C:CF:CD name=PlayStation3 user=\
    "Gerate ohne Internet "
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=192.168.30.174 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.20.0/24 gateway=192.168.30.174 \
    routing-table=main suppress-hw-offload=no
/ip service
# management services: plaintext ones are disabled, www-ssl stays up with its own
# certificate; services not listed here keep their defaults. Reachability is gated
# by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.30.0/24 disabled=yes
set ssh disabled=yes
set www-ssl certificate=SSL-Webseite
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP lets LAN hosts open inbound forwards on their own; its external side is
# set to ether1 here, not pppoe-out1 — confirm this is wanted at all
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge1 type=internal
/lcd interface pages
set 0 interfaces=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/ppp secret
add name=vpn profile=default-encryption
add name=vpn2 profile=default-encryption
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes

The firewall rule which (in default setups) is meant to let DST-NATed traffic through doesn't seem to be correct in your config:


add action=drop chain=forward comment="Drop incoming that are not NATted"
connection-nat-state=dstnat connection-state=new > in-interface=all-ppp >
log=yes log-prefix=!NAT

The rest of config (as I could quickly assess) use ether1 as WAN interface.

I changed it, but it still doesn't work. In addition, the counters for the NAT entries always remain at 0, although traffic should actually be arriving on ports 80 and 443. If I try to access the device behind the router from the outside using the external IP and the port (44695), this error message appears:
ERR_CONNECTION_REFUSED

Where is the device from which you're trying to connect? On the Internet or in your LAN?

In the Internet

To verify that your router actually receives incoming packets, add these rules to firewall and push them to the top:

# diagnostic rules only: action=passthrough just counts matching packets and lets
# them continue to the next rule; remove them once troubleshooting is done
add chain=forward action=passthrough protocol=tcp dst-port=44695
add chain=input action=passthrough protocol=tcp dst-port=44695

If the counters for both rules remain zero, then something upstream (ISP) is blocking it. If the counter for chain=input increases, then the DST-NAT rule fails to catch it. If the counter for chain=forward increases, then we'll have to trace packets through the firewall rules to see which one interferes …

Besides your wireguard settings being all wrong,

Your use of ether1 or all-ppp is incorrect.

The interface name you should be using is pppoe-out1

Yes I know, please ignore xD.
I’m too lazy to throw this out.
Wireguard should also not be actively used.

The counter of the second rule, the input rule, increases.
I can now drag them down to here (see code block below), and if I drag them any further down no new packets arrive. How do I have to edit the last rule so that it no longer blocks the requests?

/ip firewall filter
add chain=forward action=passthrough protocol=tcp dst-port=44695
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-target
add action=accept chain=input comment=Default connection-state=\
    established,related
add action=accept chain=input src-address-list=allowed_to_routerto_router
add action=accept chain=input protocol=icmp
# NOTE(review): this drop is doing its job — tcp/44695 packets only show up in the
# input chain because the dst-nat rule did not rewrite them, so they are still
# addressed to the router itself; fix the NAT rule rather than opening input
[XX]add action=drop chain=input[XX]

The rule marked with [XX] is the one after which it stops working.

As the second rule counts packets, this means that

# only matches on ether1, while the PPPoE session terminates on pppoe-out1 — most
# likely why internet-side packets never hit this rule
add action=dst-nat chain=dstnat comment="Zu Fritzbox" dst-port=44695 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.30.197 to-ports=\
    44695

isn't correct.

The only "selector" property present in your NAT rule which is not in the firewall rule is in-interface=ether1, which means that the logical WAN interface is not ether1.

As @anav noted, it's very likely that the actual WAN interface is pppoe-out1. OTOH the default config uses a nice thing: interface lists. The ultimate NAT rule (SRC NAT with action=masquerade) uses one, so why don't you use it in the SRC NAT rules as well (with the distinction that it's in-interface-list)? I missed this important detail when I quickly went through the config.